October 31, 2011

A short anatomy of a work at home scam

It is a virtual certainty that if you have an email account and use it, your address will end up on one or more spam databases. No matter how well you protect your own equipment, you cannot say the same for all of your email recipients, or even newsletter senders. Spammers have ways and means of stealing email contact databases and spamming every address on those lists.

'Nuf said about how you got on spam lists. __it happens.

One of the long running email scams involves work at home schemes and the related field of money mule and drop reshipping recruitment. The email letters promoting these usually illegal activities start with what seems to be a friendly letter from someone who watched a program on a certain news channel and is now making big money by using that system. Since they care about you so much, they want you to benefit like they have. All you have to do is click on the link, read the information at the landing page and sign on.

The email come-ons mention how much money so and so made in just their first day or two, etc. The landing pages look like TV station pages with reports about an exciting work at home career opportunity. They even have videos purporting to be done by news reporters, about these so-called jobs. But, everything on these web pages is fake. It is a scam.

Before you click any such link, in an email about a work at home job, consider the following facts that I have pulled from my most recent work at home scam.

Anatomy of a recent work at home email scam

There it was, in my MailWasher Pro Inbox, not yet marked as good or spam, with the enticing subject: "Re: Imagine a great future online." The "Re:" at the beginning of the message makes it appear that the sender is responding to an email the recipient must have sent first. This is a common ruse used by many spammers. Sometimes they use "Fw" or "Fwd" to make it appear to be a forwarded message from some distant acquaintance.

I opened the message in plain text in the preview pane and here is part of what the body text contained:


Evening, so I was bored at work as per usual reading on FOXs county entrepreneur testimonials early last monday and saw some new online based job that helps retired school teachers constantly make up to $3700 per week or more and he didn't trust most of it at the beginning but for some reason we really had to give it a try and thankfully I did because I've somehow made $378.84 my very first day trying.

The message goes on to urge you to go to the website that is included in the message body. In this case, it was a domain that contained two important keywords for this type of scam: "income" and "home." Since most recipients of these email scams in English live in North America, England, Australia or New Zealand, they might expect that a website advertising work at home opportunities to them, in English, would be based in their own countries. If you think so, you are dead wrong!

The email came from a free Yahoo email account. It was either stolen by a key logger on a victim's computer, phished by a scam email, hacked by using a dictionary attack to guess the password, or created by a spambot. One good feature of email sent through Yahoo mail servers is that the originating IP is listed below a huge line of tracking codes. In this case, the originating IP was: 217.79.87.227 - which when run through a "Whois" look-up turns out to be assigned to an ISP in Bulgaria.
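Reading the Received: chain for the originating address, as an added example (not the author's procedure or MailWasher's code). The header block is constructed with documentation-range IPs and .invalid hostnames rather than the actual message, and the hostnames and header layout are assumptions modelled on a webmail relay.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: a Yahoo-style relay chain using documentation-range IPs and
# .invalid hostnames (not the message from the article). Received: lines are
# stacked newest-first, so the bottom one describes the first hop, where the
# webmail front end recorded the submitting client's address.
SAMPLE_MESSAGE = """\
Received: from nm3.bullet.mail.yahoo.invalid (nm3.bullet.mail.yahoo.invalid [198.51.100.23])
\tby mx.recipient.invalid (Postfix) with ESMTP id 4F2A1C0
\tfor <victim@recipient.invalid>; Mon, 31 Oct 2011 08:02:15 -0400
Received: from [127.0.0.1] by nm3.bullet.mail.yahoo.invalid with NNFMP; 31 Oct 2011 12:02:13 -0000
Received: from [203.0.113.77] by web120304.mail.yahoo.invalid via HTTP; Mon, 31 Oct 2011 05:02:12 PDT
X-Originating-IP: [203.0.113.77]
From: "An Acquaintance" <someone@yahoo.invalid>
Subject: Re: Imagine a great future online

Evening, so I was bored at work...
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Addresses that can never be the sender's public address. Only RFC 1918,
# loopback, link-local and "this network" are excluded here, deliberately not
# ipaddress's is_global, which would also reject the documentation ranges used
# in the constructed sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def received_chain(raw_message: str) -> list:
    """Received: header values, oldest hop first (reverse of on-the-wire order)."""
    msg = message_from_string(raw_message)
    # Collapse folded continuation lines into one line per hop.
    values = [" ".join(str(v).split()) for v in msg.get_all("Received", [])]
    return list(reversed(values))


def routable_ips(text: str) -> list:
    """IPv4 literals in a header value that are not internal/loopback."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. "999.1.1.1" looks like an address but is not one
        if not any(ip in net for net in INTERNAL_NETS):
            found.append(str(ip))
    return found


def originating_ip(raw_message: str):
    """First hop (oldest Received:) that names a routable address.

    For a webmail relay this is the client that submitted the message; a
    WHOIS lookup on it, as the article does, is the next step.
    """
    for hop in received_chain(raw_message):
        ips = routable_ips(hop)
        if ips:
            return ips[0]
    return None


def claimed_originating_ip(raw_message: str):
    """X-Originating-IP as written by the sender's provider. Unlike Received:
    lines stamped by your own mail server, this header is trivially forged,
    so treat agreement with originating_ip() as corroboration, not proof."""
    value = message_from_string(raw_message).get("X-Originating-IP", "")
    ips = routable_ips(value)
    return ips[0] if ips else None


if __name__ == "__main__":
    print("first hop:", originating_ip(SAMPLE_MESSAGE))          # 203.0.113.77
    print("claimed:  ", claimed_originating_ip(SAMPLE_MESSAGE))  # 203.0.113.77
```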

Are you suspicious yet? Ya should be! The email that appears to come from an acquaintance on Yahoo was actually relayed by Yahoo from an Internet Service customer somewhere in Bulgaria. Got friends in Bulgaria? Not me!

Let's light up and move along (as Bocephus says). What about the link where we can read the same information that helped our mysterious benefactor earn $378.84 on his very first day? A Whois on the domain reveals that it is definitely not in the good old USA (where I live and the email was sent). Rather, the domain in the link is actually registered in --- (drum roll) --- The Ukraine!

More exposé: The Domain in question has a creation date of: 26-Oct-2011. As I write this it is 31 Oct, 2011. That means the news event and entire story was only created and registered 5 days ago. That's some hot story, huh? NOT! The "Name Servers" used to deliver the website to victims, er visitors, are Russian servers:
ns1.homebiz16now.ru
ns2.homebiz16now.ru
ns3.homebiz16now.ru

In case you are thinking that some otherwise decent chap in the States chose to register his web domain in Russia to save money, you're wrong again. The Registrant is listed as:

Svetlana Poltavceva
ul. Leninskaya 17 43
Yubileynyy, 141090
RUSSIAN FEDERATION

Okay. The email came from Bulgaria. The website in the message is Registered in the Ukraine by a Russian woman (allegedly). But, where is the website "hosted?"

IP Address: 94.63.243.128
ASN: AS30890
IP Location: Romania

Do you really think you are going to learn the secrets to wealth by visiting a website advertised by spam email, sent from Bulgaria, Registered in The Ukraine by a Russian Citizen residing in Russia, through a website hosted in Romania, the home of Count Dracula? I think not!

The only wealth being generated by these websites is the wealth earned by the cyber crooks running this scam, as they take your money and deliver nothing. Or, worse, they take your money and your credit card details and sell them on a Russian carders forum.

The only good place for these and all other work at home scams is in the deleted items folder, which should be emptied every time you close your email client!

If you want to learn more about the email spam filtering program I mentioned earlier in this article, go to my MailWasher Pro page. I write spam filters for MailWasher, some of which block work at home scams and many other past and current email threats.

If you are curious about how I read the headers to trace this email, read my blog article about "How to display the headers of spam/scam emails."


QuickBooks Security Tool email scam leads to malware

This morning I received a new scam email claiming to come from [email protected], containing the following come-on text:


You will not be able to access your Intuit QuickBooks account without Intuit Security Tool (IST™) after 31th of October, 2011.
You can download Intuit Security Tool here...


The camouflaged link had a .nl domain, so I plugged it into Wannabrowser and followed multiple redirects, ending up in Russia.

The first location, a compromised, or exploited server in The Netherlands (within 87.233.0.0/18), contained three links to JavaScript files on three different compromised domains. All three files were named js.js and contained another redirection to a subdomain of a domain named "serveirc.com" - hosted on no-ip.com, which bills itself as: "Dynamic DNS, Static DNS for Your Dynamic IP." The redirect from no-ip.com went to a server in Moscow, Russia, where I have traced much badware in recent weeks. The destination page is either cloaked to me, or devoid of content (possibly from SpamCop reports, such as I filed).

The Russian company hosting these exploits is named "Serverfarm" and owns the domain: MSM.RU. The IP hosting the QuickBooks scam exploit (95.163.89.193) is part of the CIDR: 95.163.0.0/16 - which is already on my Russian Blocklist, for hosting previous exploits.

FYI: the payload page is named: /main.php?page=b0374286c079f294

This scam is no different than its predecessors, the Scan From A Xerox Workstation and Scan From An HP Printer, both of which led to malware exploit kits that infected victim computers with the Zeus Trojan and a botnet installer. Delete such emails on sight.

Note: if you are a QuickBooks (actually intuit.com) customer and receive a questionable email claiming to be from them, hover your mouse over the links without clicking on them, to make sure they all point to intuit.com. This scam had a link on the word "here" which was the only one leading to the exploit site. Look closely at the links in action words. The actual destination will be revealed in your status bar. If the action link does not go directly to intuit.com, it is a scam, meant to harm your computer and steal money from your business.


October 30, 2011

Spam and email threat analysis for the week ending Oct 30, 2011

In case you didn't know it, spam levels have increased dramatically this week. For the first time in about a year, my own spam level has reached 60%. This is up 12% from last week. While the actual amount of spam has increased, the subjects and scams have not changed much. Only the percentages by category are changed this week.

For those who haven't read my spam reports before, I employ an email screening program named MailWasher Pro to act as a filter for known, or suspected spam, scams and virus threats. I obtain statistics at the end of each week, for each category of spam, based upon filters I write and publish (for other MailWasher Pro users).

The number of threats arriving in spam email was greatly reduced from the previous month. There were just a handful of ACH and Wire Transfer Rejected scams. They all contained links leading to Russian, Romanian, or Ukrainian malware servers. All spam for pirated software is still hosted on Ukrainian domains, ending in .COM.UA. Most of the rest of the spam this week was hosted on Russian .RU domains. This is especially true for the numerous Russian Bride online dating scams.

Let's look at my spam statistics for the week ending Oct 30, 2011, as obtained from my anti-spam program: MailWasher Pro.

During the last week I received about 460 email messages, to all of my accounts. Of those, 280 were classified as spam by MailWasher Pro. That is about 60%. My custom Blacklist did extremely well in blocking all manner of spam and scams sent from domains on my blacklist.

Here are the categories of spam as classified by my custom spam filters.

Blacklisted senders, from my own blacklist: 29.29%
Ukrainian Spam Domain Links: 19.29%
Counterfeit Watches: 15.36%
Russian Dating Scams: 8.93%
Male Enhancement: 8.57%
Fake Diplomas: 4.29%
Cialis: 4.29%
Weight Loss Pills (HCG): 2.86%
Russian Spam Domain Links (.RU): 2.14%
Pharmaceuticals: 1.43%
DNS Blacklists: 1.43%
Pirated Software: 1.07%
URL Shortener Spam Links: 1.07%

The above stats were derived from MailWasher Pro and most were classified by anti-spam filters I write and publish. I frequently update these filters. The following updates were made to my spam filters this week.

Russian Bride Scam

I made no additions to my custom blacklist (wildcard expressions) this week.


MailWasher Pro is a POP3 email client spam filter
I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.


October 23, 2011

Spam and email threat analysis for the week ending Oct 23, 2011

Spam is definitely increasing, compared to one month ago. For the last month it hovered around the 40% level. Now, it is approaching 50% of my incoming email. This may not jibe with your figures, but my amount of good mail is fairly consistent, so my spam percentages are measurable.

Last summer saw spam levels drop way down, but I am not surprised at this constant increase. New spammers are being recruited and my guess is that the spam class of 2011 has graduated. These fools pay to get into the spam game, hoping to find enough suckers to make a big profit. Spammers are paid for leads, sales, credit card number theft and computer infections.

The biggest categories have not changed much over the last few years. I saw a lot of junk mail for Fake pharmaceuticals, male enhancement pills, weight loss capsules, pirated software, fake diplomas and some Nigerian 419 and lottery scams. What is interesting is the resurgence of Russian Bride dating scams.

The worst threats delivered via email were ACH fraud scams, containing links leading to infection of computers. The predominant infection from following the links in these scams is the Zbot, a.k.a. Zeus Trojan, plus a Botnet installer. The Zeus hides and watches for you to log in to your financial institution, then steals your credentials and money. It is also used to commit identity theft. I have a custom spam filter that blocks ACH scams.

Almost all of the spam I received last week had links to Russian or Ukrainian domains. They don't even try to cloak the links. Lax enforcement in Russia and The Ukraine makes it relatively easy for counterfeiters, fake pharmacies and software pirates to conduct illegal or shady businesses, without much fear of arrest. There are some high level arrests, now and then, but they are just the tip of the iceberg. There are more Russian spammers and Bot-Masters than their police can investigate. For every top spammer busted, five more seem to take his place.

Let's look at my spam statistics for the week ending Oct 23, 2011, as obtained from my anti-spam program: MailWasher Pro.

During the last week I received about 520 email messages, to all of my accounts. Of those, 250 were classified as spam by MailWasher Pro. That is about 48%.

Here are the categories of spam as classified by my custom spam filters.

Blacklisted senders, from my own blacklist: 17.05%
Ukrainian Spam Domain Links: 16.59%
Male Enhancement: 16.59%
Weight Loss Pills (HCG): 12.90%
Russian Spam Domain Links (.RU): 8.29%
Counterfeit Watches: 7.83%
Cialis: 6.91%
Other misc filters: 5.99%
Russian Dating Scams: 3.23%
Pirated Software: 1.84%
Fake Diplomas: 1.38%
Viagra: 1.38%

The above stats were derived from MailWasher Pro and most were classified by anti-spam filters I write and publish. I frequently update these filters. The following updates were made to my spam filters this week.

Known Spam Domains.
Lottery Scams,
Software Spam [S],
New Filters: ".Info Sender and Link" and ".Info Sender"

I made one addition to my custom blacklist (wildcard expression):

[email protected]

I publish filters for both the old and new versions of MailWasher Pro. However, the new version allows for more lines of conditions than the previous ones. If you use a desktop application to send and receive POP3 email, MailWasher can act as a spam filter before you download email to your email client. You can learn more about the program, download a trial version, or purchase a subscription, at the MailWasher Pro website.


October 17, 2011

Pirated software spammers using Goo.gl domains to redirect to Eastern European domains

Software piracy has been a problem for over 2 decades, for the companies who invest time and money into the development and updating of the computer programs they offer for sale. After all, commercial businesses distribute computer software (a.k.a. programs), in the hopes of at least covering their costs, or maybe even making a profit, from the sales of licenses to use their intellectual property.

Standing in the way of profits are low life gangs of modern day pirates who obtain copies of popular commercial software, which they duplicate illegally and sell without permission from the legitimate copyright holders. In order to use these programs buyers must have a license code. In some cases, the software piracy gangs bribe insiders to steal actual bulk license keys from large businesses who pay huge fees to get bulk licensing for their multitudes of employees. They then re-issue these unlawfully obtained license codes to people who purchase pirated software from them.

It doesn't take too long for the companies being ripped off to learn which product keys are being distributed with pirated copies of their programs. As these keys are discovered, they are blacklisted. After that happens, the next time a buyer of that software checks for updates (manually or automatically), the program will become unlicensed and cease functioning properly, if at all. It is at that moment that many buyers realize that they have been ripped off.

But, not all pirated programs ship with stolen keys. Some have been recompiled to include embedded bulk license keys, which eventually fail, plus a little something extra to pad the profits of the gangs who sell pirated software at very low prices. That something extra is an embedded Trojan Horse remote control backdoor (botnet, etc).

I have been following the sources of pirated software for several years now and have learned that most of it is being distributed by Russian and Ukrainian criminals. During the last summer most of the domains used in email spam promoting pirated software ended in .RU. Those are Russian domains, registered in Russia.

Sadly, most of the actual websites are hosted in Czechoslovakia, on hijacked broadband PCs, or on web servers owned or leased by people involved with the crooks. All of the pirated software websites are running on the Russian Nginx web server.

Toward the end of August the Russian software piracy gangs began registering their domains with a new second level name that belongs to the Ukraine: .COM.UA. In order to register such a domain, one must possess a business license issued to a Ukrainian company. Since that time, most spam for pirated software contains a link ending in .com.ua.

Now, in mid October, 2011, the pirates have begun to use a new domain run by Google. It is a URL shortener system, named "goo.gl." They are now using a mixture of links pointing to shortened links on Goo.gl and to .com.ua domains. The Goo.gl links all contain instant redirection to an intermediate domain, which instantly redirects to a Ukrainian domain, where the pirated software is sold.

In case it isn't obvious, these websites are fly by night domains, set up from spam templates, run by cyber criminals in Russia. Anybody who is foolish enough to purchase anything from those websites has given their credit or debit card number to criminal gangs in far away places, with less than stellar enforcement of piracy or credit card fraud complaints. Buyers may lose a lot more than the money they paid for the soon to stop working pirated software!

My advice is simple. If you want a particular software program, save up and buy it from a legitimate source, authorized by the copyright holder. Commercial companies frequently offer coupons and seasonal discounts, which you can wait for and take advantage of. Many also offer very significant discounts to existing versions in July and August, as they prepare to release newer versions in or around September. These discounted programs usually come with either a free upgrade to the new version, or a very low upgrade price.

If you buy legally licensed software, you know that it won't suddenly stop working due to it being pirated. If you have issues with it, you are entitled to support from the makers. You won't have installed a botnet backdoor with it and your credit card won't have been handed over willingly to Eastern European cyber criminals.


October 13, 2011

How to block spam email fake ACH Canceled Payment messages

I was reading my website's raw access logs today and saw that one visitor arrived on my blog when he or she searched Google for this phrase: ach+payment+canceled+spam+how+to+stop. This article will offer suggestions to block such messages from your inbox.

First of all, you need to understand that you are not alone in being a scam and spam recipient. Almost everybody who sends, receives, forwards or replies to any email message will probably end up on some spam database eventually. Master Spammers compile email address databases using various means. Then, these addresses are sorted by country and sold to other, second level spammers. These spammers then rent the use of botnets to blast out ginormous amounts of spam email, to promote various products and services, for which the spammers are affiliates (paid by the sale, or per infection, or referral).

The ACH payment canceled scam which my visitor was asking about is not your typical type of spam message. It comes under the category I call "mal-mail," meaning it contains either a malware laden attachment, or a link to malware exploit attacks or downloads. This is a very dangerous class of email to allow into your computer's email client.

Here are some methods you can try to use to block the ACH scam emails from your inbox.

The solution I use and have been using since about the year 2000, is a desktop program that receives my email first, then analyzes it, then either leaves it available, or deletes it from the server. These decisions are based on several criteria, including one's own self created friends and black lists, checking world wide blocklists (e.g. SpamCop, Spamhaus, etc), a spam detection system of their own called FirstAlert, a learning filter and best of all, the use of user generated custom spam filters.

That program is named MailWasher Pro. It is written in New Zealand, by a company named Firetrust. The fact that one can write their own spam filters, or download the anti-spam filters I write and publish, enables people using this program to filter out such email-borne scams as the ACH Canceled Payment malware scams.

First of all, let me tell you who can or cannot use MailWasher Pro. If you fall into the latter group, skip this section and read about possible Webmail solutions.

You can use MailWasher Pro if you use a desktop program, known as an "email client" to send and receive email, via the POP3 or IMAP email protocol. It also works with Hotmail. Mailwasher does not work with browser based email. So, if you use your web browser to log onto Yahoo, or AOL, to do email, MailWasher cannot intercept your messages at all.

Common desktop email clients include the out-dated Outlook Express, Microsoft Outlook, Windows Live Mail, Mozilla Thunderbird, Pegasus (if it still exists), or any other stand-alone desktop email client that uses the POP3 or IMAP email protocols rather than HTTP.

Normally, people using a desktop email client will set their preferences to automatically check for new messages at a certain interval. Some folks allow read email to remain on the email server for X days. Others, like me, delete it from the mail server as soon as we download it to our computers. If you get a lot of spam, like most folks do, you won't want to leave those messages on your email server. In that case, your best solution is to apply the option to delete them from the server when you empty your email client's Deleted Items folder. Most email clients have a checkbox to do this automatically, when you close the program.

In order to fully benefit from the spam filtering abilities of MailWasher Pro, you need to disable the automatic checking for email option in your email client. You'll let MailWasher do the checking for and filtering new messages at your preferred interval, then manually download the desired non-spam messages to your email client, using whatever button performs the Send/Receive function.

Without any further ado, here is my current set of custom filter rules to detect and block the current ACH scams. It uses a combination of plain text and "Regular Expressions" (RegEx) rules.

This filter is for the old version 6.x of MailWasher Pro. Select option for ALL of the following rules:


Body, contains: ACH
Body, contains: Transaction
Body, contains: Report
Body, contains, RegEx: Cancell?ed
Body, contains, RegEx: financial\ (body|institution)|bank
Body, contains, RegEx: details\ in\ the\ attachment|nacha\.(org|net|us)/reports?/|(?-i)Transaction\ Report:

Here is my ACH filter for the new XML version of MailWasher Pro. Select option to apply ALL of these conditions:

Entire message contains RegEx: (?-i)\bACH\b
Body, contains, plain text: Transaction
Body, contains, plain text: Report
Body, contains, RegEx: Cancell?ed
Body, contains, RegEx: financial\ (body|institution)|bank
Body, contains, RegEx: details\ in\ the\ attachment|nacha\.(org|net|us)/reports?/|(?-i)Transaction\ Report:

If you prefer to use my already compiled MailWasher spam filters, you can read about their use and download them from my Wizcrafts' Custom MailWasher Pro Filters page. There are filters for the old and new versions of MailWasher.

If you don't use MailWasher Pro but do use a desktop email client, check whether it lets you create "email rules" or "junk rules." If so, create a new rule using the same criteria as my MailWasher filters: if your email client can test the "Entire Message," use the second set of rules; if not, use the first set. Make sure you choose the option requiring ALL of the conditions you add to the new email rule. For the action, you can choose "Delete" or "Delete it from the Server" - which means you never even see it.

As an example, here is how you can compose an ACH Fraud filter rule if you use Windows Live Mail or Outlook Express:

With the email client open, search your various options until you find the section that creates email/junk rules. Start a new rule, name it ACH Fraud, add the following rules and set them all to use AND rather than OR.

Where the Subject contains: ACH
AND
Where the message body contains specific words: ACH
AND
Where the message body contains specific words: Transaction
AND
Where the Body contains: Report
AND
Where the Body contains: cancel

Action: Delete or Delete from server.

Move this rule high up if you have other rules. The rules you can create in Outlook Express and Windows Live Mail do not allow for the use of Regular Expressions. Thus, you have to match spam with fewer conditions. This could lead to a false positive. It might be safer for you to set the action of such a filter to Delete, giving you a chance to look it over (in the Deleted folder), or better, view its Properties in safe, plain text.
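The two rule sets above expressed as offline-testable Python, an added example that is not the author's filter file or MailWasher's code: the regex set mirrors the MailWasher conditions (including the case-sensitive `(?-i)` parts), the plain-substring set mirrors the Windows Live Mail / Outlook Express rule, and two constructed sample messages show the false positive the weaker set can produce.

```python
import re

# The MailWasher Pro rule set from the article, compiled as Python regexes. The
# "ALL of the following" option means every rule must match. MailWasher's
# plain-text "contains" checks are case-insensitive substring tests, so they are
# compiled with re.IGNORECASE; the "(?-i)" sections of the original rules (a
# case-sensitive whole-word ACH, and the literal "Transaction Report:") are
# written as scoped groups "(?-i:...)", which Python 3.6+ accepts.
MAILWASHER_ACH_RULES = [
    ("ACH, whole word, case-sensitive", re.compile(r"(?-i:\bACH\b)", re.IGNORECASE)),
    ("Transaction",                     re.compile(r"Transaction", re.IGNORECASE)),
    ("Report",                          re.compile(r"Report", re.IGNORECASE)),
    ("Cancelled / Canceled",            re.compile(r"Cancell?ed", re.IGNORECASE)),
    ("financial body/institution or bank",
        re.compile(r"financial (body|institution)|bank", re.IGNORECASE)),
    ("attachment lure, nacha report link, or 'Transaction Report:'",
        re.compile(r"details in the attachment|nacha\.(org|net|us)/reports?/|(?-i:Transaction Report:)",
                   re.IGNORECASE)),
]

# The Windows Live Mail / Outlook Express rule from the article: no regex, so
# every condition is a plain case-insensitive substring test, all ANDed.
WLM_SUBJECT_WORDS = ["ach"]
WLM_BODY_WORDS = ["ach", "transaction", "report", "cancel"]


def failed_mailwasher_rules(body: str) -> list:
    """Labels of MailWasher rules that did not match; an empty list means the
    message is caught by the filter."""
    return [label for label, rx in MAILWASHER_ACH_RULES if not rx.search(body)]


def mailwasher_flags(body: str) -> bool:
    return not failed_mailwasher_rules(body)


def wlm_flags(subject: str, body: str) -> bool:
    """Windows Live Mail style rule: subject and body substring checks, ANDed."""
    s, b = subject.lower(), body.lower()
    return all(w in s for w in WLM_SUBJECT_WORDS) and all(w in b for w in WLM_BODY_WORDS)


# Constructed samples (not real messages).
SCAM_SUBJECT = "ACH Transaction Canceled"
SCAM_BODY = (
    "The ACH Transaction (ID: 000000000), recently initiated from your bank "
    "account, was Cancelled by the other financial institution.\n"
    "Transaction Report: see details in the attachment."
)

# A legitimate notice that trips the weaker rule: "ach" appears inside "Reach",
# "Each" and "attached", and "cancel" inside "cancelled". The MailWasher set
# rejects it because \bACH\b is case-sensitive and whole-word.
LEGIT_SUBJECT = "Reach out: cancelled transaction report"
LEGIT_BODY = (
    "Each transaction in the attached report was cancelled at your request. "
    "Please reach out to the bank with any questions."
)


if __name__ == "__main__":
    print("MailWasher on scam :", mailwasher_flags(SCAM_BODY))            # True
    print("MailWasher on legit:", mailwasher_flags(LEGIT_BODY))           # False
    print("WLM on legit       :", wlm_flags(LEGIT_SUBJECT, LEGIT_BODY))   # True (false positive)
    print("legit fails rules  :", failed_mailwasher_rules(LEGIT_BODY))
```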

If you use a different POP email client, read the Help file to learn how to create spam rules in it.

Webmail spam filters

Here is where you really are at the mercy of your email provider. Most free email systems provide you with the ability to block senders by name or domain, but not to create special rules based on words and phrases. Blocking the senders in spam messages only works if the sender contains a known spam word (like Viagra, Cialis, ACH, etc).

If you use Yahoo web mail, your "options" are severely limited for creating custom filters. You are allowed to specify a sender's account, or a partial email address. You can specify a word or phrase in the subject and another in the body and a few more items. Then, you set the action to send matching messages to the Trash. Finally, Yahoo has a checkbox option to send suspected spam to the Junk folder, which has the follow-up option to delete immediately, or once a week, every 2 weeks, or every month.

Users of Microsoft's Hotmail service, via their browser, are also limited in the spam filtering department. Once you log in to your inbox, look at the top right side and click on Options, then on More Options from the flyout menu. Under "Preventing junk email" click on Filters and Reporting. The options for dealing with spam are pathetic. You can choose between "standard" or "exclusive" routing of mail. Standard means that Hotmail decides what is spam and what is not; it routes suspected spam to the Junk folder. Exclusive means that only senders you placed on the "safe list" are delivered to your inbox; all other email goes to your Junk folder. That folder gets emptied every 10 days. Period. That's it. You can choose to report spam or not.


October 10, 2011

Spammed IRS Tax notices lead to Zbot malware infection

There is a currently ongoing spam campaign which sends an official looking document, with images from the US Internal Revenue Service. The subject and body refer to a tax return problem. The recipient is told to read the report at IRS.gov, but the link provided goes offshore, to a look-alike scam web page, serving malware.

I traced down one of these scams that came in today (Oct 10, 2011) and here are my findings.

The link in the email, falsely claiming to go to a report page at the irs.gov, actually led to a website named http://systrmp.com (using standard html code to link to one place, but show the user a different destination). If the intended victim was to hover their mouse or pointer over that link before clicking on it, they would see the true destination in the Status Bar of their email reader (browser or standalone desktop email client).
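The hover check described here and in the QuickBooks note above (does every link really lead to irs.gov, or to intuit.com?), done for all links in an HTML body at once. This is an added example, not the author's method; the notice HTML is constructed with placeholder .invalid hostnames standing in for the hostile site, and `expected_domain` is the one parameter to change per brand.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a fake-notice HTML body (not the page analysed in the
# article). Placeholder .invalid hostnames stand in for the hostile site. Three
# common tricks are included: unrelated host behind brand-name text, the brand
# as a subdomain prefix of another domain, and the brand in the userinfo part.
SAMPLE_NOTICE_HTML = """
<p>What you need to do</p>
<p>Visit <a href="http://look-alike.invalid/main.php">review page on irs.gov</a></p>
<p>Forms and publications: <a href="https://www.irs.gov/forms">www.irs.gov/forms</a></p>
<p>Help: <a href="http://irs.gov.look-alike.invalid/">irs.gov help desk</a></p>
<p>Sign in: <a href="http://irs.gov@look-alike.invalid/login">irs.gov login</a></p>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body: the same
    pair the status bar reveals when you hover, gathered for all links."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def link_host(href: str) -> str:
    """Hostname the browser would actually connect to. urlparse discards any
    "user@" prefix, so "http://irs.gov@evil.invalid/" resolves to evil.invalid."""
    if "://" not in href:
        href = "http://" + href
    return (urlparse(href).hostname or "").lower()


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only for the domain itself or a genuine subdomain of it;
    "irs.gov.evil.invalid" does not qualify."""
    expected_domain = expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)


def suspicious_links(html_body: str, expected_domain: str) -> list:
    """(visible text, href) for every link that does not lead to expected_domain."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    return [(text, href) for href, text in parser.links
            if not belongs_to(link_host(href), expected_domain)]


if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE_NOTICE_HTML, "irs.gov"):
        print(f"'{text}' -> {href}")
```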

The message body is written to cause panic in the recipients, causing some to blindly click on the link, without checking out the destination first. Here are the words used to panic recipients into action:


Notice ID: CEXOSTSZUJ8747
Notice: CP01H
Tax year: 2011
Notice date: Mon, 10 Oct 2011 09:11:50 +0100
Page 1 of 1

Important information about your tax return
We are unable to process your tax return

We received your tax return. However, we are unable to process the return as filed.

Our records indicate that the person identified as the primary taxpayer or spouse on the tax return was deceased prior to the tax year shown on the tax form. Our records are based on information received from the Social Security Administration.
Based on this information, the tax account for this individual has been locked.

What you need to do

Visit review page on irs.gov (<-- Hostile link goes here)
Keep this notice for your records.
Department of Treasury
Internal Revenue Service


Following that link leads to a web page hosted on a compromised (botted) computer, running on a Russian Nginx web server. The responding IP varies every few minutes. The web page looks like an official IRS page and even contains some links to the actual IRS website. Far down the page is a line of large, bold text, with a single link which reads as follows:


What you need to do

Carefully review your tax return (self-extracting archive file)...


The link around the words "your tax return" goes directly to a file named "archive.exe" - which, according to file analysis at VirusTotal.com, is the infamous Zbot, aka Zeus Trojan. As of the time I published this, only 15 of 43 anti-malware companies detected this threat. Trend Micro was among the first to detect and block it, for their users. Trend Micro security programs also remove it and all of its components.

The Zbot/Zeus Trojan is a password stealing key logger. It silently hides and waits for you to log into your online bank, or another targeted financial or auction site, then steals your credentials, sending them home to the crime gang behind this scam.

NB: As that fake IRS page is loading, so is a 1x1 pixel iframe, with its destination a server in Russia. It attempts to serve a malware exploit kit as the victim is reading his fake notice. That server has no content at this time, but it may be reloaded later on. Anybody who goes to that website and gets redirected to the Russian exploit server (by an iframe invisibly loading), with a browser that is not 100% patched against 3rd party plug-in exploits (e.g: Java, Flash, Shockwave, PDF Reader, browser version, ActiveX, etc), will be in danger of having the payload delivered without their knowledge.


October 9, 2011

Spam analysis by category, for week of Oct 2 - 9, 2011

Despite the takedown of several of the top spam botnets this year, spam levels have held steady at about 40%. Most spam this week was still promoting Russian and Ukrainian domains, pushing counterfeit drugs, pirated software, replica rip-off watches, malware exploits and dating scams.

A trend that began developing a few weeks ago is the registration of spam domains ending in .com.ua, a Ukrainian second-level domain that has only recently started showing up in spam. The domains being spamvertised with links ending in ".com.ua" are pushing pirated software, fake watches, Russian and Ukrainian dating scams, fake Cialis and Viagra, and other prescription drugs that are illegal to import into the US and Canada.

There was a big decline in the number of spam emails that actually carried a malware payload as an attachment. They were replaced by several threats that use links, rather than attached files, to exploit their victims. The end result is the same for those tricked into clicking those links: bots and various Trojan downloaders.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client. The categories represent custom spam filters which I write and publish.

The following is a list of categories of spam received this week, ranked by percentage, highest first.

Spam Statistics for October 2 - 9, 2011, inclusive, with percentages of spam by category of filter.

Male Enhancement: 18.18%
My Custom Blacklist: 13.64%
Pharmaceutical Spam: 10.91%
Counterfeit Watches: 10.91%
Ukrainian Spam Domains (.com.ua): 9.09%
Miscellaneous filters ("Other" category in MWP): 7.27%
Cialis (counterfeit): 5.45%
Viagra Spam: 4.55%
Fake IRS Notices (Links to malware): 3.64%
Zip Attachments (Malware): 3.64%
Weight Loss scams (HCG): 3.64%
Dating Scams (Russian and Ukrainian "women"): 3.64%

Updates to my Custom MailWasher Filters:

ACH Fraud,
Base 64 Encoded Body,
Dating Spam,
Russian Bride Scam.
New Filter: Fake IRS Notice

New Blacklist entries:
None this week

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


October 2, 2011

Spam analysis by category, for week of Sept 26 - Oct 2, 2011

Another week has gone by and spam levels have remained fairly static, just under 40%, the same as the previous week. Most spam this week was promoting Russian and Ukrainian domains, pushing counterfeit drugs, pirated software, replica rip-off watches and dating scams.

Thankfully, there was a big decline in the number of scam emails carrying malware, whether in attachments or at the end of hyperlinks. I did see a lot more spam messages for pirated software, all hosted on Ukrainian domains ending with .com.ua. Also on those domains were male enhancement scams, weight loss, and someone named Elina who is looking for a man, but has an email address beginning with Maria.

Not to be left out, there were several Nigerian 419 scams and lots of junk mail for fake Cialis and Viagra. What few ACH Transaction Canceled scams I saw ended about mid-week. I have blogged about these threats numerous times since late August 2011. Search this blog for details about the ACH and FDIC scams leading to malware exploits and botnets.

The following is a list of categories of spam received this week, ranked by percentage, highest first.

I compile my spam statistics from my spam screening program MailWasher Pro, which I use to filter out spam, malware attachments and dangerous links, before downloading any messages to Windows Live Mail, which is my desktop email client.

Spam Statistics for September 26 through October 2, 2011 (compiled at about midnight), with percentages of spam by category of filter.

My Custom Blacklist: 25.28%
Male Enhancement: 13.48%
Ukrainian Spam Domains (.com.ua): 10.11%
Viagra Spam: 8.99%
Pharmaceutical Spam: 8.43%
Cialis (counterfeit): 7.30%
Counterfeit Watches: 7.30%
Miscellaneous filters: 5.62%
Weight Loss scams (HCG): 5.06%
Pills Spam: 2.93%
Fake diplomas: 1.69%
Email Addresses for Sale (Spammer to Spammer): 1.69%
DNS Blacklisted Email Servers: 1.12%

Updates to my Custom MailWasher Filters:

Courier Scam #2 (UPS)
New Filter: .com.ua (Ukrainian) spam domain

New Blacklist entries:
None this week

Note: I write and publish custom spam filters for both the old and new versions of MailWasher Pro.

I use and recommend MailWasher Pro (2011) to screen my incoming POP3 email for spam, scams and virus threats, before downloading anything to my Windows Live Mail email client.


October 1, 2011

Spybot S&D 2.0 Beta cause of browser & Windows Explorer crashes

For the past couple of months I have had a beta version of Spybot Search and Destroy 2.0 installed on my Windows 7 computer. At first glance, it appeared to be functioning perfectly. But sometimes things aren't as they seem.

For the past week or so I have been fighting with two very annoying problems, which I tried to fix by running SFC /ScanNow, then a complete in-place reinstallation of Windows 7. The two issues were as follows.

1: Whenever I clicked on a browser "mailto" link to send email from Windows Live Mail, or to "send a link" to a page (via WLM), the browser would crash. This happened on all three of my installed browsers: Microsoft IE9, Firefox 6.02 through 7.01 and the latest Google Chrome.

2: When I opened an Explorer window to view files in a drive or folder, then tried to alter the "View" settings, or click on the "Organize" button, the Explorer windows would become unresponsive and crash (close).


As I mentioned before, I tried using the System File Checker, but it found nothing wrong. Yesterday, I performed an in-place reinstallation of Windows 7, which is not a trivial task. This reinstallation required me to re-run Windows Updates several times to get up to date with patches. But, one update kept failing to take: Internet Explorer 9.0. I tried installing it no less than 7 times, rebooting after each failed upgrade. Nada. Nyet.

I updated my security programs: Trend Micro Internet Security and Malwarebytes Anti-Malware, and scanned with both. Neither found any problems. I even resorted to rewriting the Master Boot Record, to no avail. Hmmmm. The game is afoot, Watson!

Since the standard repairs to my computer failed to produce the desired results I put on my thinking cap. What, besides corrupted system files could interfere with functions like browser links to open a new email message, or altering an Explorer view? Why, it could only be a system watching program. I only had two programs that performed real time monitoring of my activities: Trend Micro Internet Security and Spybot S&D, 2.0 Beta. Watson, I do believe we have our suspect!!!

On a hunch (I am good with hunches) I uninstalled Spybot S&D 2.0 Beta and rebooted. When I logged back into Windows and opened my default browser (Firefox) to a saved page, I went directly to File > "Send link..." I held my breath as I waited for the browser to crash ... but it didn't! Instead, a new email message box appeared, just like it's supposed to! The link was already filled in and everything was good in Whoville again.

I opened an Explorer window and played with every View and Organize setting. Everything worked, without any crashes. Then I went back to Windows Update and tried to upgrade IE to version 9.0. This time it worked! Spybot's "TeaTimer" (a real time protection module) was blocking the upgrade to IE 9.0! It did this to "protect" the browser from "hijacking!"

The lesson I learned and am passing on to you is this. If you choose to install "beta" software, even from a company you know and trust, don't be surprised if strange things begin to happen to your computer. It may take a while to manifest itself, but beta software is called that because it is still in test phase. It was not released through the normal update channel, but was offered because I had selected the option to check for and install beta updates to Spybot S&D. My bad.

So, if, like me, you installed Spybot 2.0 Beta and are experiencing browser and Explorer crashes when you try to use certain built-in link functions (which call other programs to open), first try closing TeaTimer. I'll wager that this allows the link to function normally. If this works, you can either disable the TeaTimer real time monitor, or uninstall the program, as I did. I already had plenty of protection from Trend Micro, by browsing with the latest version of Firefox, with the NoScript Add-on, and by running as a "Standard User" rather than an Administrator.

If any of you are still operating as Computer Administrators for your daily browsing and email, you are totally at risk of having your PC taken over by a sneak malware attack. By reducing your normal account to a Standard User (Windows Vista and 7) or Limited User (Windows XP Home) you reduce the likelihood of malware completely taking over the PC. On XP Pro, note that the Power User group is not a real reduction in privilege: its members can make themselves administrators, so use a Limited User account there as well. If you need more information about how to reduce your user account privileges, read my web page about User Privileges.


About the author
Wiz's Blog is written by Bob "Wiz" Feinberg, an experienced freelance computer consultant, troubleshooter and webmaster. Wiz's specialty is in computer and website security. Wizcrafts Computer Services was established in 1996.


Follow @Wizcrafts on Twitter, where I post short updates on security issues, spam trends and things that just eat at my craw.

This weblog is licensed under a Creative Commons License.
The content on this blog may be reprinted provided you do not modify the content and that you give credit to Wizcrafts and provide a link back to the blog home page, or individual blog articles you wish to reprint. Commercial use, or derivative work requires written permission from the author.
Powered by Movable Type
